views: 497
answers: 4
What are the benefits of using HTTP authentication with PHP (HTTP 401 headers) instead of using a normal form submit authentication?

+7  A: 

Your question is a bit vague, but the general answer is that using this method gives you a more "RESTful" implementation that follows what HTTP is already good at. In this case, throwing a 401 is something that other web servers, web proxies and web browsers know how to handle. If you're just spitting out an HTML form it is only actionable by an end user, whereas using the HTTP status codes allows machine interaction.

I'd recommend checking out http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol to understand what HTTP really is. I think that should make all of this make more sense.

sammich
A: 

You make websites? If yes, then use the <form> tag... it's prettier ;)

You make apps to be accessed by other apps and dispatch some form of data? Then use HTTP auth.

As far as I know there is no big difference in security terms, or speed or whatever... it's just ugly and easier to implement.

Quamis
A: 

As an example of what revolutiontrigger said, I most often use HTTP auth on RSS feeds for sites that use form-based auth, simply because many RSS readers can do HTTP auth, but can't do form-based auth.

Scott Reynen
+9  A: 

From a security perspective, both the form based and HTTP Basic Access Authentication use plain text for sending the authentication data. (Sure, HTTP Basic Auth additionally uses Base64, but that's no hitch.)

While HTTP Basic Auth sends the authentication data on every request, the form based authentication only sends the authentication data when the form is sent (remember: both in plain text). Commonly sessions are used to maintain the state when using form based authentication.

So if you want to use one of these, be sure to encrypt your connection using HTTPS to prevent sniffing and man-in-the-middle attacks. And when you choose the form and session based variant, be sure to secure your session handling too to prevent or at least detect session frauds like Session Hijacking and Session Fixation.

The last variant is HTTP Digest Access Authentication. The main difference between this and Basic is that Digest is a challenge-response authentication where the client has to fulfill a challenge on every request and the response is just an MD5 hash. So no authentication data in plain text is being sent.

Gumbo
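Added here as a worked example that is not part of the question or any of the answers above: a minimal PHP script implementing the challenge-response variant Gumbo describes, issuing the 401 with a Digest challenge and recomputing the expected response server-side. The realm, the demo credential store and the nonce handling are assumptions.

```php
<?php
// Added example (not code from the question or any answer): a PHP handler that
// challenges the client with HTTP Digest auth and verifies the response, so the
// password itself never travels over the wire. The user store below is a
// constructed demo array; a real application keeps the pre-hashed HA1 value
// instead of the plain password, and still serves the page over HTTPS.

$realm = 'Restricted area';
$users = ['alice' => 'correct horse battery staple']; // constructed demo credential

function send_challenge(string $realm): void {
    // Fresh, unpredictable nonce per challenge (replay/expiry tracking omitted).
    $nonce = bin2hex(random_bytes(16));
    header('HTTP/1.1 401 Unauthorized');
    header(sprintf('WWW-Authenticate: Digest realm="%s",qop="auth",nonce="%s",opaque="%s"',
        $realm, $nonce, md5($realm)));
    exit('Authentication required');
}

// Parse `key="quoted"` and `key=bare` pairs from the Authorization: Digest value;
// returns null if any field needed to recompute the response is missing.
function parse_digest(string $header): ?array {
    $needed = array_flip(['username', 'uri', 'nonce', 'nc', 'cnonce', 'qop', 'response']);
    $data = [];
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $pairs, PREG_SET_ORDER);
    foreach ($pairs as $p) {
        $data[$p[1]] = $p[2] !== '' ? $p[2] : ($p[3] ?? '');
        unset($needed[$p[1]]);
    }
    return $needed ? null : $data;
}

if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
    send_challenge($realm);
}
$d = parse_digest($_SERVER['PHP_AUTH_DIGEST']);
if ($d === null || !isset($users[$d['username']])) {
    send_challenge($realm);
}
// Recompute what a client that knows the password must have produced (RFC 2617, qop=auth):
// response = MD5(MD5(user:realm:pass) : nonce : nc : cnonce : qop : MD5(method:uri)).
$ha1 = md5($d['username'] . ':' . $realm . ':' . $users[$d['username']]);
$ha2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $d['uri']);
$expected = md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:{$d['qop']}:$ha2");
// Constant-time comparison so timing does not reveal how many bytes matched.
if (!hash_equals($expected, $d['response'])) {
    send_challenge($realm);
}
echo 'Hello, ' . htmlspecialchars($d['username']);
```

PHP fills `$_SERVER['PHP_AUTH_DIGEST']` when running as an Apache module; under CGI/FastCGI setups the Authorization header may have to be passed through to the script explicitly.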